My Top 10 Priorities for Improving Internal Auditing

Dan Swanson recently posed the question, "Where should IA focus its efforts over the next 1-2 years?" This was my reply:

My suggestion for IA is:

Work with management to improve risk management processes.

Work with the board to improve risk oversight.

Move to formal periodic reporting on the adequacy of governance, risk management, and related control processes.

Move to an internal audit program that is focused on providing assurance and consulting services relative to the higher risks to the business as a whole. Move away from bottoms-up auditing (we have to audit the Sydney factory because it is large) and middle-down auditing (IT is important, so we have to audit IT general controls in their entirety), which are not based on risks to the business as a whole.

Move to an internal audit program where the risk assessment is updated at least monthly, ensuring that today's risks (and perhaps tomorrow's) are being addressed, rather than yesterday's.

Improve the use of technology, and consider building a continuous auditing program as described in the IIA GTAG or a continuous risk and control assurance program described in my paper.

Address the issue of whether management and boards are receiving sufficient, timely, reliable, and current information on which to base their decisions. See this post.

Address the risk of ineffective management, hiring practices, etc. See two posts, here and here.

Be introspective and constantly ask whether IA is adding the value it can, how to be more of a rock star and drive improvements to the business, and how technology and best practice have changed — can I leverage it better?